The emails try to lure the victim into clicking a link that redirects through an intermediate site to pages hosting the Angler Exploit Kit (the campaign later switched to the "Goon" Exploit Kit). The kit exploits Java, Flash or Silverlight vulnerabilities and then tries to load an encrypted executable, which helps it evade detection.

Although the attacks are large scale (Websense Cloud Email Security has detected and blocked a few hundred thousand of these messages per campaign burst), our telemetry shows a heavier focus on UK targets in the lure stage.

These campaigns might be attributed to the "ru:8080" a.k.a. "/news/" gang, which has been a prominent user of the BlackHole Exploit Kit and then the Magnitude Exploit Kit, as described in our previous blog post.

The related campaigns we have observed so far start with these lures:

Fake Skype messages, with subjects such as:

"You received a new message from Skype voicemail service"

Fake Evernote messages, with subjects such as:

"Image has been sent"

"Image has been sent <user@domain.tld>"

The emails carry URLs such as:

hxxp://itsrobinhoodd .com/1.html

These pages contain a simple JavaScript redirect to the next stage.

The next stage is where the switch from the Angler Exploit Kit to the Goon Exploit Kit can be seen:

hxxp://merdekapalace .com/1.txt

This in turn redirects to the Angler Exploit Kit landing page, hosted on the gang's typical .ru:8080 hosts.
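As an added illustration of the redirect chain described above (not code from the original post), the following Python reconstructs each client's Referer chain from proxy logs and flags any that reaches a landing page shaped like the .ru:8080 "/news/" hosts. The log format, client addresses and host names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real telemetry): time client method url referrer
SAMPLE_LOG = """\
10:00:01 10.0.0.5 GET http://lure-host.example/1.html -
10:00:02 10.0.0.5 GET http://redirector.example/1.txt http://lure-host.example/1.html
10:00:03 10.0.0.5 GET http://abcd.landing-host.ru:8080/news/index.php http://redirector.example/1.txt
10:00:04 10.0.0.5 GET http://abcd.landing-host.ru:8080/news/flash.swf http://abcd.landing-host.ru:8080/news/index.php
10:05:00 10.0.0.9 GET http://news.example.org/news/ -
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<ref>\S+)$")
# Landing-page shape from the campaign: a .ru host on port 8080 with a /news/ path.
EK_LANDING_RE = re.compile(r"^https?://[^/]+\.ru:8080/news/", re.IGNORECASE)


def parse_log(text):
    """Yield one dict per well-formed log line, in file order."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def walk_back(landing, reqs):
    """Follow Referer values backwards through one client's requests to the lure."""
    referrer_of = {}
    for r in reqs:
        referrer_of.setdefault(r["url"], r["ref"])  # keep the first occurrence
    chain = [landing]
    ref = referrer_of[landing]
    while ref in referrer_of and ref not in chain:  # stop at "-" or a loop
        chain.append(ref)
        ref = referrer_of[ref]
    return list(reversed(chain))


def detect_ek_chains(text):
    """Return [(client_ip, [lure_url, ..., landing_url])] for every client whose
    traffic reached an exploit-kit-shaped landing page, using its first such hit."""
    by_client = defaultdict(list)
    for r in parse_log(text):
        by_client[r["ip"]].append(r)
    alerts = []
    for ip, reqs in by_client.items():
        landing = next((r["url"] for r in reqs if EK_LANDING_RE.match(r["url"])), None)
        if landing:
            alerts.append((ip, walk_back(landing, reqs)))
    return alerts
```

A legitimate "/news/" path on an ordinary host (the 10.0.0.9 line) does not match, so the alert carries the full lure, redirector and landing sequence only for the client that actually followed the chain.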

Checking VirusTotal for context on AV coverage of this malware, we can see that detection when first seen was 7/50, and it looks like a Zeus variant.

For analysis of a similar Silverlight exploit, see our previous blog post.

We have seen evidence and reports of the "ru:8080" gang switching to the Angler Exploit Kit as far back as December 2013, as independent researcher "Kafeine" mentioned in this post, but we had not noticed any large scale email attacks until recently (we have seen some web based attacks, on a fairly small scale). The "ru:8080" criminal gang typically pushes trojans such as Cridex, Zeus GameOver and click-fraud trojans like ZeroAccess, and we have seen instances in the past of ransomware such as RansomLock and worms like Andromeda.

It looks like, after a period of relatively little use of exploit kits, cyber criminals are resuming the use of various exploit kits to deliver malware in email based attacks. The switch from one exploit kit to another suggests several possibilities: one is that relying on a single Malware-as-a-Service offering for a long period is deemed too risky for a profitable operation; alternatively, the attackers may be evaluating multiple exploit kits to determine which works best, or multiple attackers may be leveraging the same botnet and redirect infrastructure.

Another somewhat interesting detail: according to Websense email telemetry, we see a relatively heavy bias from the attackers towards targets located in the UK, followed by the US and Germany.

What is more important is that the attackers need to change ALL of their techniques to slip past Websense Triton protection, since disrupting the attack at any one stage is enough to prevent infection.